@Immutable @JsType public final class SafeUrl extends Object
A SafeUrl is a string-like object that carries the security type contract that its value as a string will not cause untrusted script execution when evaluated as a hyperlink URL in a browser.
Values of this type are guaranteed to be safe to use in URL/hyperlink contexts, such as assignment to URL-valued DOM properties or interpolation into an HTML template in URL context (e.g., inside an href attribute), in the sense that the use will not result in a Cross-Site-Scripting vulnerability.
Note that this type's contract does not imply any guarantees regarding the resource the URL refers to. In particular, SafeUrls are not safe to use in a context where the referred-to resource is interpreted as trusted code, e.g., as the src of a script tag.
Modifier and Type | Field and Description |
---|---|
static SafeUrl | INNOCUOUS: The SafeUrl generated by SafeUrls.sanitize(String) (or portable.builders.SafeUrls) when passed an unsafe URL. |
static String | INNOCUOUS_STRING: The innocuous string generated by SafeUrls.sanitize(String) (or portable.builders.SafeUrls) when passed an unsafe URL. |
Modifier and Type | Method and Description |
---|---|
boolean | equals(Object other) |
String | getSafeUrlString(): Returns this value's underlying string. |
int | hashCode() |
String | toString(): Returns a debug representation of this value's underlying string, NOT the string representation of the URL. |
public static final String INNOCUOUS_STRING
The innocuous string generated by SafeUrls.sanitize(String) (or portable.builders.SafeUrls) when passed an unsafe URL.
about:invalid is registered in http://www.w3.org/TR/css3-values/#about-invalid. http://tools.ietf.org/html/rfc6694#section-2.1 permits about URLs to contain a fragment, which is not to be considered when determining if an about URL is well-known.

public static final SafeUrl INNOCUOUS
The SafeUrl generated by SafeUrls.sanitize(String) (or portable.builders.SafeUrls) when passed an unsafe URL. Wraps INNOCUOUS_STRING.

public String toString()
Returns a debug representation of this value's underlying string, NOT the string representation of the URL.
Having toString() return a debug representation is intentional. This type has a GWT-compiled JavaScript version; JavaScript has no static typing and a distinct method name provides a modicum of type-safety.
Overrides: toString in class Object

public String getSafeUrlString()
Returns this value's underlying string.
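A usage example added here to show the contract in practice; it is not code from the library's own documentation or source. It assumes the class lives in the package com.google.common.html.types, and the class SafeUrlExample and the helpers hrefFor and anchorHtml are hypothetical names chosen for the example.

```java
import com.google.common.html.types.SafeUrl;
import com.google.common.html.types.SafeUrls;

/** Builds an anchor tag from an untrusted URL by going through the SafeUrl type. */
public final class SafeUrlExample {

  /**
   * Sanitizes an untrusted URL and returns the string to place in an href attribute.
   * The result is either the original URL (when it is safe) or SafeUrl.INNOCUOUS_STRING.
   */
  static String hrefFor(String untrustedUrl) {
    // sanitize() never throws: an unsafe URL is replaced by SafeUrl.INNOCUOUS.
    SafeUrl url = SafeUrls.sanitize(untrustedUrl);

    // Detect the fallback explicitly so rejected input can be logged or counted;
    // a spike of rejections is a useful signal for monitoring.
    if (url.equals(SafeUrl.INNOCUOUS)) {
      System.err.println("rejected unsafe URL, substituting " + SafeUrl.INNOCUOUS_STRING);
    }

    // Use getSafeUrlString() for the attribute value. toString() deliberately
    // returns a debug representation and must not be used as the URL.
    return url.getSafeUrlString();
  }

  /** Renders an anchor; escapedLabel is assumed to be HTML-escaped already. */
  static String anchorHtml(String untrustedUrl, String escapedLabel) {
    // The SafeUrl contract is about script execution when the value is used as a
    // hyperlink; HTML attribute escaping of the string is still the template's job.
    String attr = hrefFor(untrustedUrl).replace("&", "&amp;").replace("\"", "&quot;");
    return "<a href=\"" + attr + "\">" + escapedLabel + "</a>";
  }

  public static void main(String[] args) {
    // A conventional https URL passes through unchanged.
    System.out.println(anchorHtml("https://example.com/docs?q=a&b=c", "docs"));
    // A script-executing scheme is replaced by the innocuous about:invalid URL.
    System.out.println(anchorHtml("javascript:alert(1)", "rejected"));
    // Per the class contract, a SafeUrl says nothing about the referenced resource,
    // so it must never be used as the src of a script tag.
  }
}
```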